SMS Policy And Opt In / Out Process

Overview

This policy defines how Northcott Global Solutions Ltd (NGS) manages consent for electronic communications delivered through the following systems:

1. Touchdown | Emergency Notification System (ENS)

2. SIREN | Emergency Notification System (ENS)

It establishes clear procedures for obtaining, recording, maintaining, and withdrawing user consent in compliance with:

  • UK GDPR and Data Protection Act 2018
  • EU GDPR and ePrivacy Directive
  • UK PECR (Privacy and Electronic Communications Regulations)
  • US Telephone Consumer Protection Act (TCPA) and CAN-SPAM Act
  • Canadian PIPEDA
  • ISO/IEC 27001:2013 Annex A.18 (Compliance) requirements; the A.16, A.17 and A.18 references in this document use the 2013 Annex A numbering

The objective is to ensure transparency, accountability, and legal defensibility in all ENS communication activities.

Scope

This policy applies to:

  • All NGS ENS platforms (Touchdown and SIREN).
  • All NGS employees, contractors, and partners administering ENS communications.
  • All Client Contacts, Users, or Recipients who receive SMS, email, or push notifications via ENS.
  • All Client Data Controllers contracting with NGS to operate ENS services.
 

It covers all data types used for ENS messaging: names, phone numbers, email addresses, and any identifiers required to transmit notifications.

Definitions

  • Client Data Controller – the organisation purchasing or using the ENS platform, responsible for establishing and documenting a lawful basis for contacting each individual.
  • NGS (Data Processor) – NGS processes data strictly under Client instruction, providing the platform and the audit trail.
  • Contact / User – any individual whose details are uploaded to the ENS platform.
  • Opt-In – active, informed consent by a Contact to receive ENS notifications.
  • Opt-Out – withdrawal of consent, or refusal to receive further ENS notifications.
  • Passive Conduit – NGS’s role in transmitting messages on behalf of Clients without altering or analysing their content.

Lawful Basis for Processing

NGS processes ENS data under one or more of the following lawful bases:

  • Contractual necessity – to provide ENS services requested by the Client.
  • Legitimate interest – where ENS alerts are required for duty-of-care, security, or life-safety obligations.
  • Consent – where individuals voluntarily opt in to receive notifications (especially for Touchdown users or marketing communications).
 

Clients must determine and document their chosen lawful basis. NGS will assist by providing standard consent language and templates.

Opt-In Process

Initial Registration

  • When a Client uploads contacts to the ENS system, an automatic Opt-In SMS or email is generated.
  • The message identifies the Client, explains the purpose of communications, and includes secure links to:
    • Confirm consent (“YES”, “I agree”, or equivalent).
    • View this ENS Opt-In / Opt-Out Policy.
    • Contact NGS for queries. 
 

Active Confirmation

  • Consent is captured through one of the following methods:
    1. Clicking a unique web confirmation link.
    2. Replying “YES” or “ACCEPT” to the SMS message.
    3. Completing an online consent form hosted on NGS servers.
  • The system automatically records: name, mobile number, timestamp, IP address, and method of confirmation.
  • Each record is retained for a minimum of 24 months for compliance and audit.
 

Touchdown vs SIREN

  • SIREN: Automated Opt-In SMS sent upon addition; audit trail managed within the platform.
  • Touchdown: Opt-In confirmation managed via Client HR or registration portal; NGS requires evidence of consent prior to activation.

Opt-Out Process

Withdrawal of Consent

Recipients can withdraw consent at any time by any of the following means:

Method                              Action                                                   Processing time
SMS reply                           Reply “STOP”, “OPT OUT”, or “UNSUBSCRIBE”                Immediate
Email link                          Click “unsubscribe” or “manage preferences”              Immediate
Email request                       Send a request to privacy@northcottglobalsolutions.com   Within 24 hours
Client HR or administrator portal   Remove the user from the ENS database                    Within 24 hours

Confirmation & Retention

  • A confirmation SMS or email is sent to acknowledge a successful opt-out.
  • A minimal log (name, date/time, method, administrator ID) is kept for compliance for two years, matching the 24-month retention of opt-in records.
  • After this period, records are securely destroyed in line with the NGS Information Retention Policy and the NGS Information Disposal Policy.

Client Responsibilities

  1. Lawful Data Collection – ensure all uploaded contacts have consent or other lawful basis.
  2. Transparency – include NGS’ ENS policy link in employee communications or internal privacy notices.
  3. Accuracy – maintain up-to-date and verified contact data.
  4. Data Minimisation – upload only data strictly necessary for alerting.
  5. Deletion Requests – act promptly on any deletion request from a Contact and notify NGS.
  6. Audit Readiness – cooperate with NGS’ annual audits and provide evidence of opt-in consent when requested.

NGS Responsibilities

NGS will:

  • Operate the ENS platform as a Data Processor, following documented Client instructions only.
  • Maintain ISO 27001-aligned technical and organisational controls, including:
    • Encrypted data at rest and in transit (AES-256 / TLS 1.3).
    • Multi-factor authentication for administrators.
    • Segregated client data environments.
    • Secure logging and change management.
  • Provide annual compliance evidence (ISO 27001 certificate, SOC 2 Type 2 summary).
  • Respond to any data subject rights requests received directly, notifying the Client within 24 hours.
  • Notify Clients of any personal data breach without undue delay, and in any event within 72 hours of becoming aware of it, in line with the NGS Data Breach Notification Policy. Clients should note that their own deadline for notifying the supervisory authority under UK GDPR Article 33 (72 hours from the Client becoming aware) runs concurrently, so NGS notifies as early as possible within this window.

Cross-References & Linked Policies

The following NGS policies are directly relevant to ENS data management and must be publicly available. Policies marked * are available upon request.

Policy                                Purpose / audit relevance
NGS Back Up Policy                    Business continuity and data resilience (ISO 27001 A.17).
NGS Data Breach Notification Policy   Incident response timelines (A.16).
NGS Data Protection Policy            GDPR compliance and processing framework.
NGS Data Classification Policy        Information labelling and access control.
NGS Digital Access Control Policy     Authentication and privilege management.
NGS Information Security Policy       Core ISO 27001 framework document.
NGS Information Disposal Policy       Secure destruction of data assets.
NGS Information Retention Policy      Retention periods and erasure controls.
NGS Information Transition Policy     Data transfer and handover controls.
NGS Password Policy                   Authentication complexity standards.
NGS Privacy Policy                    Overarching data processing and marketing consent.

Data Security and Resilience

NGS maintains an integrated Business Continuity and Disaster Recovery Plan, ensuring:

  • 99.9 % platform availability.
  • Daily data back-ups with geo-redundancy.
  • Annual penetration testing by CREST-accredited providers.
  • Regular testing of failover and alert delivery paths.
 

Resilience controls are audited yearly under ISO 27001 and SOC 2 Type 2.

Data Subject Rights

All ENS recipients retain their rights under UK and EU GDPR, including:

  • Access, rectification, and erasure of their data.
  • Restriction of, or objection to, processing.
  • Portability (where applicable).

Requests should be submitted to privacy@northcottglobalsolutions.com and will be acknowledged within five working days.

Monitoring and Audit

  • The NGS Data Protection Officer (DPO) reviews opt-in and opt-out statistics quarterly.
  • Compliance with this policy forms part of the ISO 27001 internal audit programme.
  • Deviations or breaches trigger corrective actions and, where necessary, staff retraining.

Compliance Statement

NGS confirms that this policy forms a mandatory part of its ISO 27001 Information Security Management System and that no ENS service shall be activated without verified client consent and lawful processing basis.
